Tidal Forces: Software as a Service Is the New Back Office

It no longer makes sense to run your own mail server in your data center. Or file servers. Or a very long list of enterprise applications. Unless you are on a very very short list of organizations. Running enterprise applications in an enterprise data center is simply an anachronism in progress. A quick peek at the balance sheets of the top tier Software as a Service providers shows the transition to SaaS continues unabated.

Buying and maintaining enterprise applications, such as mail servers, files servers, ERP, CRM, ticketing systems, HR systems, and all the other organs of a functional enterprise has never been core to any organization. It was something we did out of necessity, reducing the availability of resources better used to achieving whatever mission someone wrote out and pasted on a wall. That isn’t to say using back-office systems better, running them more efficiently, or leveraging them to improve business operations didn’t offer value, but really, at the heart of things, all the cost and complexity of keeping them running has mostly been a drag on operations and budgets.

In an ideal world SaaS wipes out major chunks of capital investments and reduces the operational overhead of maintaining the basil metabolic rate of the enterprise, freeing cash and people to build and run the things that make the organization different, competitive, and valuable. It isn’t like major M&A press releases cite “excellent efficiency in load balancing mail servers” or “global leaders in SharePoint server maintenance” as reasons for big deals. And SaaS reduces reliance on corporate networks – freeing employees to work at their kids’ sporting events and on cruise ships.

SaaS offers tremendous value, but it is the Wild West of cloud computing. Top tier providers are strongly incentivized to prioritize security through sheer economics. A big breach at an enterprise-class SaaS provider is a likely existential event. (Okay, perhaps it would take two breaches to knock one into ashes). But smaller providers are often self- or venture-backed startups, more concerned with growing market share and adding features, hoping to stake their claims in the race to own the frontier. Security is all fine and good so long as it doesn’t slow things down or cost too much.

Like our other Tidal Forces I believe the transition to SaaS will be a net gain for security, but one without pain or pitfalls. It is driving a major shift in security processes, controls, and required tooling and skills. There will be winners and losers, both professionally and across the industry.

The Wild West demands strong survival instincts. Major SaaS providers for back-office applications can be significantly more secure than the equivalent application running in your own data center, where resources are constrained by budgets and politics. The key word in that sentence is can. Practically speaking we are still early in the move to SaaS, with as wide a range of security as we have opportunistic terrain. Risk assessment for SaaS doesn’t fit neatly within the usual patterns, and isn’t something you can resolve with site visits or a contract review. One day, perhaps, things will settle down, but until then it will take a different cache of more technical assessment skills set to avoid ending up with some cloud-based dysentery.

There are fewer servers to protect. As organizations move to SaaS they shut down entire fleets of their most difficult-to-maintain servers. Email servers, CRM, ERP, file storage, and more are all replaced with software subscriptions and web browsers. These transitions occur at different paces with differing levels of difficulty, but the end result is always fewer boxes behind the firewall to protect.

There is no security consistency across SaaS providers. I’m not talking about consistent levels of security, but about which security controls are available and how you configure them. Every provider has its own ways of managing users, logs (if they have them), entitlements, and other security controls. No two providers are alike, and each uses its own provider-specific language and documentation to describe things. Learning these for a dozen services might not be too bad, but some organizations use dozens or hundreds of different SaaS providers.

SaaS centralizes security. Tied of managing a plethora of file servers? Just move to SaaS to gain omniscient views of all your data and what people are doing with it. SaaS doesn’t always enable security centralization, but when it does it can significantly improve overall security compared to running multiple, disparate application stacks for a single function. Yes, there is a dichotomy here; as the point above mentions, every single SaaS provider has different interfaces for security. In this case we gain advantages, because we no longer need to worry about the security of actual servers, and for certain functions we can consolidate what used to be multiple, disparate tools into a single service.

The back office is now on the Internet and with always encrypted connections. All SaaS is inherently Internet accessible, which means anywhere and anytime encrypted access for employees. This creates cascading implications for traditional ways of managing security. You can’t sniff the network because it is everywhere, and routing everyone home through a VPN (yes, that is technically possible) isn’t a viable strategy. And a man-in-the-middle attack on your users is a doozy for security. Without the right controls credential theft enables someone to access essential enterprise systems from anywhere. It’s all manageable but it’s all different. It’s also a powerful enabler for zero trust networks.

Even non-SaaS back offices will be in the cloud. Don’t trust a SaaS service? Can’t find one that meets your needs? The odds are still very much against putting something new in your data center – instead you’ll plop it down with a nice IaaS provider and just encrypt and manage everything yourself.

The implications of these shifts go far deeper than not having to worry about securing a few extra servers. (And please pour one out for your email admins). They require a fundamental rethinking of some established security processes, a few of which will deeply impact both the profession and industry.

Bumps in the wire are incompatible with SaaS. Much of our security, especially monitoring, relies on sniffing or proxying connections between our users and the destination application. Data Loss Prevention and malware analysis are just two easy examples. As mentioned above, throwing a security box between a user and a service reduces security by breaking an already-secure and trusted connection. That’s assuming you can even convince management to route all your users through some sort of VPN (or block off-network access) in the first place. Have fun with those help desk calls. Adding friction to a process that’s adopted to reduce friction and increase agility is rarely good for long-term prospects.

Perimeter security, especially monitoring and filtering, needs to be fundamentally rearchitected for SaaS. This is the direct consequence of the previous point. Even if you can put a bump in the wire, you certainly won’t get to install several (see the next point, about CASB). DLP? Malware analysis? You’d better integrate with your cloud provider directly or become merely a feature of a CASB or something similar. Are you a security pro who wants to keep an eye on everything? Get used to relying only on logs from your cloud provider – you won’t be able to sniff anything, and as we explained in the endpoint security post, you can’t depend on monitoring on employee devices.

CASB/Cloud Security Gateways, or something like them, are here to stay and already a commodity. Cloud Access and Security Brokers are a security overlay for SaaS. Technically these are two different markets which Gartner decided to lump together because of analyst infighting (seriously). One side is focused on mediating access via federated identity to a wide range of cloud services. The other is all about discovering, monitoring, and protecting cloud services, but eventually both will be totally commoditized. CASB works best when the cloud service offers robust security APIs so it doesn’t need to be a bump in the wire. The bad news is that a lot of cloud services suck at security and don’t enable security APIs, so we have to use a total hack job of a security control, which actually reduces security to enable security management. No, I don’t like the approach at all, and I hope it dies a horrible death quickly, as clients pressure cloud providers to open up APIs. In the meantime we already see bigger vendors buying CASB and integrating it with other core platforms, which is rapidly commoditizing the market. It’s one of the easier ways for existing vendors to buy into the cloud, because it doesn’t take an entirely new way of thinking of the world to see value.

Zero Trust networks will become the norm, and are more secure anyway. The concept of Zero Trust networks is relatively new, but I have seen it working in real substantial organizations. The idea is that once you migrate to SaaS (and IaaS) because everyone is using encrypted connections to talk to everything, so you no longer need to trust your network at all. Employees either go over a TLS connection or VPN to a destination. The best implementations compartmentalize everyone who plugs into the corporate network so they can only access the Internet. Every network port is a direct line to the outside world, with no special access to scan, sniff, talk to, or even see anything else on the inside. Every connection an employee makes is encrypted. Every individual service and application is compartmentalized. Think it isn’t possible or doesn’t scale? Are you bigger and more special than Google? Once again we take hits in monitoring, filtering, and perimeter security as we walk down this path.

Expect to see industry-specific SaaS providers and big trouble with compliance. Some sectors fundamentally need deeper monitoring for compliance purposes, especially in financial services. Broker/traders are very high on the list, along with some government agencies. They struggle to use off-the-shelf SaaS, and are often either driven to industry-specific cloud options or run their own infrastructure inside IaaS. There will likely be some sort of a break here, and I honestly have no idea how it will play out,

Again I am probably missing things here. The upshot of the transition to SaaS is that we get to shut down a lot of things which are real pains in the ass to keep secure. We can implement much more secure networks, with encryption baked in. We get to centralize security for some of our peskiest application categories. But in exchange we can no longer monitor things like we used to, we need to adopt new ways of managing a very diverse set of security controls across diverse services, and the security market will get very messy as traditional vendors acquire and integrate CASB, but many of them will screw it up as they try to catch up and stay current in a rapidly changing world.

Contact

About

Securosis is an information security research and advisory firm dedicated to transparency, objectivity, and quality. We are totally obsessed with improving the practice of information security. Our job is to save you money and help you do your job better and faster by helping you cut through the noise and providing clear, actionable, pragmatic advice on securing your organization.